可以黑客入侵网站的FTP，SSH和/或.htaccess文件？ [英] Can a hacker hack a website's FTP, SSH and/or .htaccess file?

问题描述

我知道，一个网站可以有一些漏洞，黑客可以使用，即使管理员尽他/她最好的，使他们的网站很安全。我要让我的网站的安全，并通过这样做，我要尽我所能，做到这一点。第一种方法，使之安全的提问及以下我要问的具体问题。

I know that a website can have some vulnerabilities that hackers could use even though the admin tries his/her best to make their website very secure. I want to make my website secure and by doing that I need to try my best to do so. First way to make it secure is to ask questions and below are the specific questions I want to ask.

这是我的具体问题：
1.可黑客访问我的网站的.htaccess文件？如果是的话，他们能修改吗？
2.能黑客让我的SSH root密码，即使SSH密码是18岁以上字符长？
3.能黑客得到我的FTP用户名和密码，即使FTP密码是18岁以上字符长？
4. SSH是更安全比FTP？

These are my specific questions:
1. Can a hacker access my website's .htaccess file? And if so, can they edit it?
2. Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
3. Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
4. Is SSH more secure than FTP?

推荐答案

注意：下面就是这可能不涉及这个议题的一半的一般信息，有吨的东西，你需要确保的，但下面的应该给你一个大概的了解。

NOTE: The below is just a general information which probably doesn't cover half of the subject, there are tons of things you need to make sure of but the below should give you a rough idea.

能否黑客访问我的网站的.htaccess文件？

Can a hacker access my website's .htaccess file?

是的，某些情况下会发生这种情况：

Yes, some scenarios this could happen:

• 如果您配置错了你的的httpd.conf 让人们老朋友.HT *页面默认情况下是禁止的的httpd.conf
• 如果你的服务器是为主机和您或您的用户没有正确地应用权限的文件，所以他们是其他帐户中访问。
• 如果您的web服务器不部署用户和组保护帐户
• 如果帐户没有植根于他们的文件夹。

• If you configure wrong your httpd.conf allowing people to visite .ht* pages which is by default forbidden on the httpd.conf
• If your server is meant for hosting and you or your users don't properly apply permission to their files so they are accessible within other accounts.
• If your webserver don't deploy user and group protection to accounts
• If accounts are not rooted to their folders.

如果是的话，他们能修改吗？

And if so, can they edit it?

是的，没有，只是访问来自浏览器中的文件将不授予他们访问编辑它，但是，在某些情况下，它可能会，例如：

Yes and no, just accessing the file from a browser will not grant them access to edit it, however in some cases it may be possible for instance:

• 如果您的codeS PHP的一个， perl的等有漏洞，那么是有可能
• 正如早期，如果你的websever没有每个帐户的用户和组再部署其他帐户将有从其他帐户访问文件
• 如果在的.htaccess 文件中设置的权限，例如 777 允许任何人都可以操纵该文件这将是编辑和读取他人帐户。

• If one of your codes PHP, perl, etc have vulnerabilities then yes it may be possible
• As mentioned early if your websever does not deploy per account user and group then others account will have access to the files from another account
• If the permission set on the .htaccess file is for instance 777 which allows ANYONE to manipulate that file it will be editable and readable from others account.

能否黑客让我的SSH root密码，即使SSH密码是18岁以上字符？

Can a hacker get my SSH root password even if the SSH password is 18+ characters long?

蛮力是不是抢别人的密码的唯一途径，如果你的电脑已经受到影响，如果你的服务是不是最新的最新的攻击和更多，它也可以让你的密码。

Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.

要防止这种最常见的方法是使你的SSH密码少，基本上你会拒绝直接访问根目录，使用密码阻止任何访问，并且只允许访问从一对正在生成的授权密钥钥匙。

The most common way to protect against this would be to make your SSH password-less, basically you will deny direct access to root, block any access using password and will only grant access to authorized keys that are generated from a pair of keys.

此键可以让你访问到具有该键允许被记录为pre定义的帐户。

This key would allow you access to a pre-defined account that have that key allowed to be logged as.

从你登录的，您可以使用须藤来运行命令以root或苏该帐户 - 经常账户切换到root。

From that account you've logged as, you can either use sudo to run commands as root or su - to switch the current account to root.

更改SSH端口为其他端口。

Change the SSH port to some other port.

使用防火墙，以prevent，赶上蛮力试图对某些端口，并阻止它。

Use your firewall to prevent and catch brute force attempts on certain ports and block it.

使用您的防火墙只允许你的IP来访问服务器，如果你的IP是静态的。

Use your firewall to allow only your IP to access the server if your IP is static.

使用防火墙阻止访问服务，不需要外部访问例如未使用的端口，如果你不提供MySQL的远程访问可以阻止访问端口3306，以及配置MySQL服务器绑定在本地主机只有

Use your firewall to block access to unused ports of service that do not require external access for example if you do not offer MySQL remote access you can block access to the port 3306 as well as configuring your MySQL server to bind on the localhost only.

能否黑客得到我的FTP用户名和密码，即使FTP密码是18岁以上字符？

Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?

蛮力是不是抢别人的密码的唯一途径，如果你的电脑已经受到影响，如果你的服务是不是最新的最新的攻击和更多，它也可以让你的密码。

Brute force is not the only way to grab someone's password, if your computer has been compromised, if your services are not up to date with the newest exploits and more, it's also possible to get your password.

时的SSH更安全比FTP？

Is SSH more secure than FTP?

他们是不同的协议和用于不同的目的，他们可以平等不安全或平等保护这一切都取决于系统管理员将其不断更新和安全。

They are different protocols and serve to different purpose and they can be equality insecure or equality secure it all depends on the System Administrator to keep it up to date and secure.

这篇关于可以黑客入侵网站的FTP，SSH和/或.htaccess文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！